
Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations

Last week I had the great pleasure of speaking to the Waterloo Region Law Association C-POWR group with my colleague Michael Beairsto. We had a great turn out and a very interesting discussion about Leaky Websites, Encryption Keys & More: Demystifying Privacy Laws & Obligations. Our presentation materials included:

  • A Quick Primer on Privacy Basics
  • Ad Networks and Analytics
  • Geolocation
  • Moving Data Hither and Yonder
  • Encryption – What it Solves; What it Doesn’t

Social Networking and Online Forums – Privacy Obligations

Last month, the UK Information Commissioner’s Office (UK ICO) published guidance on the application of the Data Protection Act 1998 (UK DPA) to social networking sites and online forums. Although the guidance is specific to UK privacy legislation, the guidance is worth reading by a broader international audience. In particular, the guidance may be of interest to operators of social networking and online forum sites in Canada, given the similarity of some of the underlying principles in Canadian privacy legislation.

The overarching theme of the UK ICO guidance is that organizations must assess the extent to which the UK DPA applies to their activities. In most cases, it will be uncontroversial that the collection and use of subscription data falls within the provisions of the UK DPA. However, organizations must also consider whether the content of posts by users will fall within the UK DPA and the extent of the organization’s responsibilities for the accuracy of that content.

Social Media Activities Attract Obligations

The UK DPA does not apply to individuals who process personal information for their own personal purposes. This is referred to as the “domestic purposes” exemption. However, the UK ICO states that the domestic purposes exemption is not available to organizations engaged in social media activities. The fact that the social media activity is conducted by an individual employee makes no difference if the employee is engaged in the activity on behalf of the organization.

In view of the UK ICO’s guidance, organizations will have obligations in three broad situations:

  • if the organization runs a website which allows third parties to add comments or posts about living individuals, and they are a data controller for the website content;
  • if the organization or its employees (acting in the course of their duties or with encouragement of the organization) post personal information on the organization’s own website or a third-party’s website; and
  • if the organization or its employees (acting in the course of their duties or with the encouragement of the organization) download and use personal information from a third-party website.

As an aside, the UK ICO stated that it considers “it poor practice for an organisation to encourage or allow employees to use their own personal networking pages for corporate purposes.”

Data Controller of User Comments and Posts

One of the most difficult areas is determining the extent to which privacy laws apply to the host of social networking sites and forums in respect of comments and posts by the users of those sites. The obligations of a host under the UK DPA materially expand if the host is a “data controller” of the factual information in the posts.

Whether the host is a “data controller” depends, in part, on the degree to which the host determines the purposes for which and the manner in which the information on the site is processed. Thus, an actively moderated site could make the host a “data controller”. However, the UK ICO also suggests that a host engaged in less intensive moderation could be a “data controller”. For example, a free site with an acceptable use policy reserving to the host the right and ability to remove posts could still result in the host being a data controller.

If the host is a data controller, the UK ICO states that the organization must “take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and is presented as a ‘matter of fact’.” What constitutes reasonable steps will vary with the type of networking site or forum. The UK ICO states it may be sufficient in some cases to:

  • maintain clear and prominent acceptable use policies;
  • maintain clear and easy to find procedures to dispute the accuracy of posts and to request removal; and
  • maintain a procedure to respond to disputes quickly, including procedures to remove posts, suspend posts while the dispute is resolved, or annotate them as disputed.

Distinguishing between a “fact”, which must be accurate, and an “opinion” may not always be easy.

Parallels and Differences in Canada

Although Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is materially different from the UK DPA, there are also some important parallels.

Subsection 4(2) of PIPEDA contains an exemption for the collection, use and disclosure of personal information by an individual solely for personal or domestic purposes. However, like the UK DPA, PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activities. The fact that those activities are carried out through an individual employee using a personal account may not, on its own, exempt the activities from the scope of PIPEDA, depending on the degree of involvement of the organization.

PIPEDA does not expressly use the concept of a “data controller”. However, PIPEDA does require an organization to be accountable for personal information under its “control”. If personal information is under the “control” of the organization, it must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Furthermore, an individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. To this end, the organization must have procedures to receive and respond to complaints regarding the accuracy and completeness of the information.

Determining whether information is under the “control” of an organization is equally tricky in Canada. However, an organization may be considered to “control” information if it has the right to determine whether and under what conditions it is used or produced. The UK ICO’s guidance is of interest, therefore, in assessing how one might interpret the accountability requirements under PIPEDA or distinguish them from the UK DPA.

International Internet Privacy Sweep

The Office of the Privacy Commissioner of Canada (OPC) has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC, the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an “Internet Privacy Sweep”.

The first sweep begins today and continues for a week, during which the enforcement agencies will focus on Privacy Practice Transparency.

In Canada, the Commissioners will be reviewing websites to determine whether they have a privacy policy and how difficult it is to locate. The Commissioners will also examine privacy policies to determine whether they contain contact information and to assess the readability of the disclosure.

Why do I have to agree to your Privacy Notice? And other curiosities

There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click-wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

  • Retention. The user is told that personal information “will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

  • Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying: “We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.”

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128 bit encryption.

Thoughts?

The Power of “Why” in the Exercise of Discretion to Disclose

Asking “why” is a powerful deterrent to over collection and, as a recent Alberta case demonstrates, can be a powerful check on “over disclosure”.

In Order F2013-12, the issue for the Office of the Information and Privacy Commissioner of Alberta was whether the entirety of an accident report created from information collected from the driver of one vehicle should be automatically and routinely disclosed by the police to the other driver involved in the accident.

The form established by the Registrar for the accident report collects the driver’s name, address, date of birth, gender, home phone number, work phone number, and operator’s license.

The case for disclosure looked strong:

  • The Alberta Traffic Safety Act requires drivers who are involved in an accident to complete an accident report with the police.
  • The form of accident report is prescribed by the Registrar of Motor Vehicles.
  • The police are required to collect the accident report.
  • If requested, a driver is required to disclose to the police or anyone sustaining loss or injury, the driver’s name, address, operator’s licence, name and address of the registered owner of the vehicle, licence plate of the vehicle, and the financial responsibility card issued in respect of the vehicle.
  • The police are permitted to provide the Registrar with a copy of the accident report.
  • The police are permitted to release information in the accident report to a person if the person may be liable to pay damages.

The Freedom of Information and Protection of Privacy Act permitted disclosure of personal information for a purpose in accordance with a law that authorizes or requires disclosure, but only to the extent necessary to carry out the purpose in a reasonable manner.

The Adjudicator agreed that in theory disclosure of an accident report was authorized by law. However, the disclosure provision was permissive – that is, the police had discretion to exercise.

So, why did the police exercise the discretion to disclose the entirety of the report? The Adjudicator didn’t receive a good answer. It seems it was the practice of the police to do so. But the drivers in this case had not asked for each other’s information. Even had they done so, the Traffic Safety Act did not require disclosure of the drivers’ birth dates or telephone numbers. Moreover, no party requested a copy of the accident report.

The disclosure was gratuitous in order that the drivers need not ask for copies of the report and in order to ensure that the drivers meet their obligations to one another. In the result, the Adjudicator ordered the police to cease disclosing more information than was necessary for that more limited purpose – such as name, address and operator’s licence.

Context, Content and Privacy in Warrantless Searches of Cell Phone and Cameras

Context and content matters to the assessment of reasonable expectations of privacy in criminal law matters.

Recently, in R. v. B. (C.), 2013 CarswellOnt 3851 (SCJ), P. Smith J. considered the constitutionality of a warrantless search and seizure of a camera that was alleged to have been used to surreptitiously film a child in the accused’s residence as well as the seizure (but not search) of the accused’s computer.

According to the allegations, the complainant (a minor) found a video camera in her bedroom containing naked pictures of herself. The police were called to a relative’s house and were shown the pictures on the video camera. While the police were at the relative’s house, the accused showed up and identified the camera. The police took the camera.

After taking the accused into custody, the police were given access to the accused’s home by other family members, and a computer accessed by family members was seized but not searched.

The police then obtained two warrants to search the camera and the computer.

When the accused challenged the search and seizure of the camera, the court ruled that a video camera is different from a mobile phone. The court concluded that a video camera does not have the capability of storing private voice, text, e-mail communications, detailed personal contact lists, agendas and diaries, that are typically stored on a mobile phone. Accordingly, the accused did not have a heightened expectation of privacy.

But, more importantly, when the contents of the camera were first viewed by the police, the ownership of the camera was not yet known. Moreover, any privacy interest that the accused had was, in the court’s view, “relinquished” when the accused “decided to hide it in the bedroom” of the complainant.

Turning to the computer, the court noted that the fact that the entrance to the house was provided by the co-owner and the computer was commonly used by the family, including the accused, made the seizure of the computer “incident to arrest” reasonable in order to preserve potential evidence. The court noted that the computer was only searched after a warrant was obtained.

Some of the reports of this case stress the judge’s conclusion that a video camera is not like a cell phone. That certainly is part of the decision. Content matters. However, context matters as well. The video camera here was presented by the accused. The police were provided with the camera by the complainant and looked at it not knowing who the owner was in order to make a determination of whether to proceed. This is far different from searching and seizing a camera that was under the custody or control of the accused.

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witnesses’ testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default”, are discussed, but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

  • Guidelines for social media and data management companies regarding accountability and openness
  • Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent
  • Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Heard of the Internet of Things? FTC to Conduct a Workshop

Have you heard about the Internet of things? If it is industry’s great opportunity, it might be the Privacy Officer’s brainteaser over the next few years.

Increasingly objects are becoming “smart”. No human intervention is required to record and communicate data, permitting otherwise unconnected objects to interact with one another.

Objects are being embedded with a variety of sensors. These objects collect information about their environment, their operation, and their interaction with other objects. These devices can communicate with each other and with databases through wireless networks. All of the data that these objects collect and produce becomes fodder for analysis in Big Data projects for understanding complex systems.

Even though human intervention is not required, individuals are often interacting with those objects in some way, such that the information is, at least in part, about those individuals.

As the Federal Trade Commission (FTC) puts it:

“Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.”

For that reason, the FTC is holding a workshop on November 21, 2013 to study the Internet of Things.

FTC will accept submissions on the implications of these developments through June 1, 2013.

Enough with the Unencrypted Portable Devices says the Ontario IPC

The #1 item on my “tough love list” for New Year’s 2013 was “Enough of the Unencrypted USB Keys”.

You won’t have been alone if you didn’t tackle that in the first quarter of 2013.

However, the Information and Privacy Commissioner of Ontario has filmed and posted a “Commissioner’s Corner” that might get this item onto your agenda. Following the latest loss of data in Ontario, Dr. Cavoukian spoke out on the transfer and storage of personal information on unencrypted storage devices.

Some salient quotes from Dr. Ann Cavoukian:

“It wasn’t encrypted; that’s what makes me crazy”

“You cannot allow data, sensitive data especially, to be transferred onto a mobile device, be it a laptop, a USB key, whatever, without encrypting the data”

“It’s not enough to have a policy that says you are supposed to encrypt the data, you have to have that reflected in concrete actions that take that from the policy stage to the front line staff who are doing these things and you have to train the staff […] and you have to give them the means by which they know how to encrypt the data […]”

“Don’t let there be one more data breach like this”

Message received, Commissioner.

Keeping Your Canadian Do Not Call Compliance Fresh

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced three recent settlements demonstrating that organizations would do well to ensure they are complying with Canada’s telemarketing rules.

On April 3, 2013, the CRTC announced a settlement for failure of a company to properly download monthly the National Do Not Call List. This resulted in the company’s dealers calling numbers that were registered. The settlement included a payment of $100,000 and, among other things, a requirement to provide an annual report documenting consumer complaints and the steps taken to resolve them.

On April 2, 2013, the CRTC announced settlements with two organizations who had used automated calling devices (robocalls) in violation of Canada’s Unsolicited Telecommunications Rules. Those rules require express consent to telecommunications through an automatic dialing-announcing device. In addition to administrative monetary penalties of $69,000 and $11,000 respectively, the CRTC’s settlement provided for, among other things, annual reporting to the CRTC for five years documenting customer complaints and steps to resolve them.

Global Reach for Data Governance Law

Our New Look and International Legal Practice

Welcome to the new look for DataGovernanceLaw.com. Fraser Milner Casgrain (FMC) has become Dentons Canada LLP, and has joined Salans and SNR Denton to form Dentons, an international legal practice. For more on Dentons, visit www.dentons.com.

We are now working together with 2,500 talented lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.

Two Blogs!

This blog will continue to bring you developments in data governance law, including privacy, e-commerce and consumer protection topics that we think are interesting to you, with a Canadian spin.

We also invite you to visit our sister blog at www.privacydatasecurityblog.com, which will provide you with coverage and commentary from an international perspective on privacy and data security.

What does the future hold in store?

We have always covered international legal developments on this blog because e-commerce and m-commerce are not confined to geographical boundaries and because there is much to be learned from other jurisdictions in this evolving area of the law. I am personally delighted to join our colleagues from the former Salans and SNR Denton. Together, we will be able to provide you with insights regarding best practices in privacy and security and insights regarding data governance from around the world.

Over the coming months, we will be combining our blogs. These are exciting times. I look forward to sharing them with you.


BYOD & the Board of Directors — Part Three: Elements of a board information governance policy

This is the third post in a series on BYOD (bring-your-own-device) and the obligations of directors relating to the protection of corporate confidential information. The first post examined the issue from the perspective of the director’s statutory fiduciary duty and duty of care. The second post made the case for a board information governance policy. This post examines the content of a board information governance policy.

The elements of a board information governance policy will vary with the nature of the corporation, the sensitivity of the information, the importance of the information to the corporation, the technical skills of the directors, and the willingness and financial ability of the corporation to invest in technological solutions. The following is a non-exhaustive list of possible topics for inclusion in a policy.

Scope of the Policy

a. Scope of confidential information

A board information governance policy should define the scope of confidential information. At a minimum, this will include all material, non-public information about the corporation and all personal information collected or used by the corporation. However, the corporation may also owe express or implied duties of confidentiality to third parties, such as suppliers, business partners, shareholders and clients, among others. It is desirable to include this type of information under the policy as well.

b. Application of the policy

A board information governance policy should also describe the types of communications and records that are governed by the policy. Does the policy only apply to communications between corporate officers and the directors or to all records relating to the director’s duties or to specific classes of records? Although the focus of this post is on electronic communications, a board information governance policy may also address printed material.

Information Technology and Security

a. Security requirements on director-owned devices

A board information governance policy might define for directors the minimum security requirements for director-owned or third-party-owned devices. The policy could also provide directors with a point-person who can assist the director in implementing those requirements or assessing compliance with them.

The content of the security requirements should be determined in consultation with the corporation’s technology department. Consideration may be given to requiring that all devices be protected by strong passwords and remote wiping technology. The policy may require operating systems of a particular version or higher with anti-virus protection of a particular version or higher.

In situations where the board is expected to receive extremely sensitive information, the corporation may require the director to agree to permit the corporation to install software allowing the corporation to control the device and wipe the device remotely. A corporation may require that directors receiving or storing highly sensitive information or personal information of employees do so only on encrypted devices.

b. Use of personal or third-party email accounts

The board information governance policy might provide guidance on the use of personal or third-party (e.g. the director’s employer) email accounts. The corporation should consider whether the use of personal or third-party accounts is consistent with the corporation’s record retention and information security policies.

If personal or third-party email accounts are permitted by the corporation, consideration should be given to establishing clear guidelines regarding the terms of service for those accounts, back-up requirements and disaster recovery protocols.

If non-personal third-party accounts are being used, such as an account provided by the director’s employer or another organization in which the director is involved, special attention should be given to determining whether the policies related to those accounts are in conflict with the corporation’s interests. It is not uncommon for employers to claim the right of ownership and the right of inspection of all communications conducted through the employer-provided email account.

Records Management

a. Commingling of information

A board information governance policy should establish the corporation’s expectations regarding the commingling of corporate information with the director’s personal information or information related to the director’s employment or duties in connection with other corporations.

In addition to assessing whether commingling presents problems relating to the corporation’s records retention programs, consideration might be given to whether commingling creates an unacceptable risk of inadvertent disclosure.

The corporation should also consider electronic discovery issues in the event that the corporation’s information must be extracted for litigation. This is not simply an inconvenience issue. Is the corporation prepared to have its records reviewed in the course of another company extracting information related to litigation involving that other company?

b. Records retention and destruction obligations

A board information governance policy may address special records retention and destruction obligations relating to board materials and communications.

For example, what is the corporation’s policy regarding corporate records in the possession or control of the director at the end of his or her service? Are all records to be destroyed? If the director will retain the records, is it necessary for the corporation to have an express agreement with the director to maintain those records for a minimum period of time and to provide the corporation with access to the records as may be required?

Another special issue may be records relating to committee work, including special committees appointed to review major transactions. Not infrequently the corporate secretary and management directors will be excluded from the work of these committees. Consideration should be given to whether and how those records will be retained without interfering with the independence of the work of those committees. If those records are to be retained, how will they be retained if the directors are using personal or third-party information technology and email accounts?

Even the basic application of a corporate records retention policy may involve special adaptation to the board. For example, if a director is using an email system controlled by a third party, such as the director’s employer, is the records retention policy applied to that email system in conflict with the corporation’s records retention schedule? Will directors during and subsequent to their service be asked to destroy records in accordance with a records retention schedule? Should any special consideration be given to records relating to the board’s conduct during major corporate transactions, such as mergers and acquisitions or dispositions?

c. Litigation hold obligations

A board information governance policy might clarify the director’s obligations with respect to the preservation of electronic records in the event of litigation. The policy may require directors using their own devices and personal email accounts to provide access to those devices and accounts for the purposes of preserving and gathering information that is relevant to the litigation. A board information governance policy will also describe the limits on that access. For example, it may be unreasonable to demand access if the director has been sued by the corporation or in situations where the corporation refuses to provide a defence to the director or is otherwise adverse in interest to the director.

Additional issues should be addressed if directors are permitted to use email accounts and information systems that are not controlled by the directors, such as those controlled by the director’s employer. Will the director be responsible for ensuring that the third party will provide access to those systems for the purpose of preserving and gathering relevant electronic information?

Communications Protocols

a. Special Classes of Communications

A board information governance policy may also set out protocols for handling particular types of communications. Prior to developing these protocols, the corporation may wish to employ a risk analysis of the likelihood and consequences of a breach of confidence relating to particular classes of communications.

A protocol for quarterly financial information might require password protected or encrypted formats. Directors may be prohibited from communicating about undisclosed financial results by email unless password protected or encrypted. Similarly, information relating to proposed executive compensation may be sufficiently sensitive to warrant special procedures. Communications and documents relating to a merger, a major acquisition or disposition, or litigation might be restricted to secure portals through which directors could access information and communicate with one another.

Protocols may also restrict communications to certain electronic addresses. For example, the board information governance policy may require directors to use designated email addresses for communication and not resort to text messages, instant messaging services or PIN messages or forwarding email from a work account to a personal account at the cottage. These alternative methods of communication may be convenient when dealing with a major, urgent event, but may also create security, record retention and litigation management problems precisely when those issues matter most to the corporation.

Informational Conflicts of Interest

a. Sharing information with corporate parents or subsidiaries

A board information governance policy could also address potential conflicts of interest relating to information. For example, in the case of cross-appointments between parents and subsidiaries, what are the duties of directors regarding corporate information? Appellate courts in Canada have yet to wrestle to the ground the problems created by information sharing in a corporate group, although one appellate court has commented in a judicial aside that it seemed impractical to say that the directors of a subsidiary can never tell its secrets to the parent company. Nevertheless, should there be official, documented channels of communication in order to manage issues where there may be emerging conflicts of interest or where sharing of information might result in a loss of privilege?

b. Sharing information with nominating or appointing shareholders

There is significant potential for informational conflicts of interest in the relationship between a director and his nominating or appointing shareholder. Leaving aside securities laws issues relating to selective disclosure, the basic corporate rule appears to be that the director is required to maintain confidentiality. This may, of course, lead to a conflict between the director’s duties to the corporation and the director’s duties to his or her nominating shareholder.

A board information governance policy may address this situation directly for the mutual protection of the director, the corporation and the shareholder. The policy may require official, documented channels of communication. The policy may also address whether in these circumstances it is appropriate for the director to use email accounts, devices or information systems owned or controlled by the shareholder, in order to avoid the perception of impropriety.

Building Board Capacity and Compliance

a. Assistance and Education

Although directors may have a statutory duty to supervise the management of the corporation, non-management directors may not know who within the organization to call to get assistance or how to obtain information on technological issues associated with complying with their duties to protect the corporation’s information.

Consideration might be given to providing directors with direct access to a knowledgeable information technology and security professional who can assist the director in securing his or her devices and home networks and troubleshoot issues that the director has. The simple act of setting up a separate email folder on a smartphone or assisting the director in installing personal, remote wiping software may greatly enhance the security of the corporation’s information.

Depending on the technical sophistication of the directors and the technology and security complexity of the corporation’s information governance and records retention standards, corporations may also wish to consider providing education to directors upon first appointment and periodically thereafter.

b. Breach Disclosure

Directors should also have a clear understanding of their obligations with respect to what the corporation considers to be a breach of confidentiality as well as the director’s duty to report a breach. Directors should understand the protocol for losing a tablet, laptop or smartphone containing corporate confidential information.

c. Self-Audit and Review

Board self-evaluation might include consideration of whether directors and the corporation are complying with the board information governance policy. Periodic review of the board’s actual practices against the information governance policy is advisable not only to enhance compliance but also to ensure that the information governance policy is practical and does not become an unintended liability in litigation as a result of not being followed.


BYOD & the Board of Directors — Part Two: The Case for a Board Information Governance Policy

The security and information governance issues that arise with “bring your own device” or BYOD are not restricted to employees of the corporation. These issues also affect information governance practices when communicating with the board of directors. In my previous post in this series, I examined the duties that directors have in safeguarding corporate information and the questions that directors might ask themselves in assessing whether they are being prudent and diligent.

This post examines the case for a board information governance policy. The last post in this series will address the elements of a board information governance policy.

The purposes of a board information governance policy

The fundamental reasons for developing a board information governance policy are (1) to establish expectations regarding the standard of care the directors are expected to bring to the management of corporate information and (2) to assist directors through corporate procedures and technology in fulfilling their duties to protect that information.

The special position and risks of BYOD and directors

Directors occupy a special position within the corporation. Except with respect to matters reserved to shareholders, the board of directors are the ultimate decision-makers. Information that they receive is likely to be highly sensitive corporate financial and strategic information, which may not become publicly known until authorized for disclosure by the board.

The board of directors of a public corporation will be comprised of at least some non-management directors. Unlike senior officers and management directors, these “independent directors” are unlikely to be working on corporate-owned or corporate-controlled devices. These directors may not even use corporate-controlled email accounts. Instead, these directors may be using personal email accounts or those of their employer. Electronic communications with these directors and among the directors as a group will, therefore, be mediated through non-corporate-controlled information technology systems, notwithstanding that the directors are likely to be dealing with some of the most sensitive information of the corporation.

Independent directors are also more likely to have other employment or sit on the boards of other corporations. This introduces the possibility of the commingling of the corporation’s information with information of third parties in a way that will complicate the application of the corporation’s records retention and security policies.

Consider, for example, the simple issue of a corporate information security department being able to remotely control the corporate director’s mobile device to enforce security protocols. If a director is also using the same device to receive information from his or her employer and another corporation on which he or she sits as a director, who, if anyone, should have control over that mobile device? What are the consequences if the device is remotely wiped by one corporation resulting in the loss of information relevant to the other corporation?

The case for the board information governance policy

The utility of a board information governance policy is that it provides the flexibility to recognize that the information governance challenges at the board level and with senior officers communicating with directors may be different from those relating to other employees. It provides an opportunity for the directors to set out a set of guidelines to govern their information practices and heightens attention to cybersecurity issues at the board level at a time when security regulators are increasingly requiring corporations to disclose material cybersecurity risks and breaches.

The next and last post in this series outlines the elements of a board information governance policy.

BYOD & the Board of Directors — Part One: A Risk to Reckon With?

The information security concerns relating to employees using their own devices for work (such as smart phones, netbooks and laptops) are a hot topic. Although “bring your own device” or BYOD is here to stay, the practice of employees using their own devices for employment duties creates information governance challenges.

What about the role of BYOD at the level of the board of directors? Corporate officers, including the corporate secretary, frequently communicate with board members through electronic means. Directors are also likely to communicate with one another between meetings through electronic means. It is not uncommon that these electronic communications may include preliminary evaluation of strategic matters, legal advice, draft employee compensation arrangements, material contracts and draft financial reports.

This post examines some of the duties of directors with respect to the use of their own devices and email accounts. Subsequent posts will set out the case for a board information governance policy and examine some of the elements of such a policy.

Is it really a problem?

Before dismissing the information governance challenges related to electronic board communications, consider the following questions:

  • How often is information sent to directors at personal email addresses or to email addresses belonging to other companies that may employ the director?
  • Does the corporation have a good handle on the device and security standards being used by directors when they are handling some of the most sensitive material non-public information of the corporation?
  • What assurance is there that third-party technology policies do not create rights in the information sent to those third-party accounts, such as, for example, when a director is employed by another company?
  • What happens if confidential information is retrieved and stored on a director’s personal device and the device is lost or stolen or lacks security protection? Is the device capable of being wiped?

A director’s duty to protect corporate information

A director has a duty to bring the care, diligence and skill of a reasonably prudent person to the protection of confidential corporate information.

Directors owe a statutory duty of care in fulfilling their obligations to the corporation. Paragraph 122(b) of the Canada Business Corporations Act, RSC 1985, c C-44 (CBCA), for example, provides that directors and officers must “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances”.

In addition to the duty of care, directors of Canadian business corporations owe a duty of loyalty to the corporation. The duty of loyalty is a common law duty that has been incorporated into most corporate legislation in Canada. For example, paragraph 122(a) of the CBCA provides that every director must act honestly and in good faith with a view to the best interests of the corporation.

The Supreme Court of Canada has described this “statutory fiduciary duty” as including a duty to maintain the confidentiality of information acquired by being a director. This statutory duty also typically prohibits directors from using information acquired by virtue of their position for personal gain.

Even leaving aside the fiduciary duties of a director, a duty of confidence may arise anytime a person receives information that has a quality of confidence about it in circumstances in which there is an express or implied obligation of confidentiality.

Issues for directors to consider

The care, diligence and skill to be exercised by a reasonably prudent director depend on the circumstances. There is, therefore, no single prescriptive information governance practice that will fulfil a director’s statutory duty of care. The types of controls that a director may wish to consider deploying depend on the sensitivity of the information and its importance to the corporation.

Below is a checklist of questions that a director may wish to review as part of determining whether the director’s information governance practices are consistent with, and capable of, fulfilling the director’s duties of confidentiality to the corporation.

Device and Network Security

  • Is the device only used by the director or is it shared with other people, such as family members?
  • Are all devices on which the director views electronic communications and material secured by a strong password (at least 8 characters containing at least one number, one capitalized letter and one symbol) and protected by anti-virus software that is frequently updated?
  • Are all devices on which the director stores corporate information encrypted? If not, are there particular types of information that should not be stored on those devices, such as personal information of employees and officers or material non-public information relating to merger discussions or financial results?
  • Is the device enabled with a remote wiping technology in the event that it is lost or stolen?
  • Is the director using the device when connected to wifi? Does the director use secure wifi connections? Is the director’s home network protected by a firewall?

Account and Information Security

  • Does the director access information through a secure portal? If not, are there particular types of sensitive information that should only be available in this way?
  • Is the director receiving information through an email address to which others have access, such as an administrative assistant? Should those third parties be bound by a confidentiality agreement?
  • Is the director receiving information at a personal email address or an email address belonging to another corporation? If so, is this appropriate for all types of information? Do the terms of service of the personal email address provider or the terms of use of another corporation’s email policy permit access to the email account by third parties? Are those third parties governed by confidentiality agreements?
  • Is the email account protected by a strong password? Is email encrypted when transmitted? Are email and other electronic records encrypted when stored?
  • Is the email address provided as part of a cloud-based service? If so, does the director understand what limitations there are on that service?
  • Does the director have the technical skills to understand whether information retained on the device is being collected, used or stored by other applications without the director’s knowledge?

Document Management

  • Is the director storing electronic records on a third-party’s system? If so, are the records password protected or logically separated from records that can be viewed by others? For example, are records received by the director stored on his or her employer’s systems in a manner that would permit others to view or otherwise inspect those records?
  • Does the director print material? Is that material stored in a secure location? Who else has access to the information?

Records Retention

  • Does the director have the technical and administrative capability to comply with the corporation’s records retention policy? For example, does the corporation’s records retention policy require retention of emails between directors about the corporation’s business for a defined period of time? Is the director able to ensure compliance?
  • If the director is using the email or electronic storage services of another corporation in which he serves as an employee, will the director have access to that email if he or she is no longer employed by that corporation? If not, has provision been made to migrate those records in the event of retirement or dismissal?

Litigation

  • Does the director have the technical and administrative capability to comply with a litigation hold in the event that litigation arises and records created, retained or received by the director are responsive to the issues in the litigation?
  • Has the director mixed personal and business uses on the device in a way that will make it more likely that the director’s personal records or records relating to his or her duties to another corporation will need to be inspected in the event the device must be produced for litigation purposes?

These issues may be daunting for directors. However, there are technological solutions. Directors may wish to consider more structured ways to receive board information, such as through secure portals or third-party cloud based board communication service providers.

In subsequent posts on this topic, I’ll look at these issues from the perspective of the corporation embarking on creating information governance policies for the board.

M-Commerce Privacy & Security

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

  • Main takeaways from recent Canada and U.S. guidelines
  • Dealing with Address Book Information
  • Online Behavioural Tracking and Analytics
  • Geolocation Data
  • Collecting Information from Children
  • Transparency and Accountability in Design
  • Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

This presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.

A Personal Email Records Management and Privacy Problem

The use of personal email for business is a significant problem for records retention and privacy programs.

On March 18, 2013, the British Columbia Information and Privacy Commissioner (OIPBC) announced an investigation into the use of personal email accounts by public servants in that province. Although the investigation is taking place in a public sector context, the investigation is also relevant for organizations in the private sector.

Records Management Obligations

Communications taking place outside of the organization’s email records management system may not be captured in compliance with the organization’s records management system. The OIPBC reminds public servants in Guidelines on the Use of Personal Email Accounts for Public Business (released on March 18, 2013) that personal email may still be subject to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).

FIPPA applies to records in the custody or control of a public body. A record will be under the control of the organization if (a) the record relates to a departmental matter and (b) the government institution could reasonably expect to obtain a copy of the record upon request. The OIPBC’s general rule is that “any email that an employee sends or receives as part of her or his employment duties will be a record under the public body’s control, even if a personal account is used.” These records may, therefore, be subject to access to information requests even though the organization does not have possession of the email record.

This isn’t just a public sector problem. For example, subsection 23(1) of the British Columbia Personal Information Protection Act (“PIPA”), which applies to private sector organizations in British Columbia, provides that an organization must provide an individual with the individual’s personal information under the control of the organization. There is no obvious reason why the meaning of “control” in PIPA should be narrower than in FIPPA.

Information Security Obligations

The OIPBC also expressed concern regarding the security of personal email in the Guidelines. This issue applies equally to the public and private sectors. Depending on the service used by the employees and whether copies of the email are downloaded to unencrypted devices, the email may be stored in an insecure environment.

Private organizations should be aware that section 34 of PIPA requires the organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. Organizations may be faulted for turning a blind eye to the practice of employees using personal email systems that do not provide for adequate security. In assessing the risk, organizations should consider whether they would have breach notification responsibilities in the event an employee’s personal email was compromised and that email contained personal information collected by or on behalf of the organization.

Even leaving aside the possibility of a breach, organizations should consider whether employees transmitting personal information outside of the administrative, technical and physical security controls established by the organization would violate representations made by the organization in its public privacy policies.


Legal Aid Society of Alberta Subject to Privacy Legislation

An adjudicator of the Office of the Information and Privacy Commissioner of Alberta (OIPC) has concluded that the Personal Information Protection Act (Alberta) (PIPA) applies to the Legal Aid Society of Alberta. The decision is of broader interest because it continues the trend to interpret the definition of “commercial activity” broadly, resulting in the application of PIPA to the activities of many non-profit organizations.

PIPA applies to non-profit organizations when engaged in a “commercial activity”. Pursuant to subsection 56(1) of PIPA, a “commercial activity” means any transaction, act or conduct, or any regular course of conduct that is of a commercial character. Pursuant to subsection 56(3) of PIPA, non-profit organizations are subject to PIPA in respect of personal information that is collected, used or disclosed by the non-profit organization in connection with any commercial activity carried out by the non-profit organization.

The Legal Aid Society of Alberta provides legal assistance to individuals in defined areas of the law on a means-test basis. In the case that gave rise to the complaint, the applicant sought assistance from the Legal Aid Society on two separate occasions but was refused representation (although the second time he was provided with limited advice and referral information). The applicant then sought access to his file at the Legal Aid Society. The Legal Aid Society provided copies of the staff lawyer’s notes from one of the applicant’s interactions, records relating to the appeal of the determination of whether to provide him with representation and confirmed certain other facts. The applicant complained to the OIPC relating to certain alleged failures of the Legal Aid Society in addressing his access request. The adjudicator’s decision did not consider the alleged failures.

Instead, as a preliminary matter, the adjudicator considered whether PIPA applied to the Legal Aid Society. In particular, the adjudicator considered whether the Legal Aid Society was engaged in a commercial activity when collecting, using or disclosing the applicant’s personal information. In assessing whether the Legal Aid Society’s activities were commercial, the adjudicator accepted the following principles:

  • a commercial activity is of a trade-like or business-like nature;
  • an exchange of consideration, while important to establishing a contractual relationship, was not an essential characteristic of a commercial activity;
  • profit-making need not be the “preponderant” purpose of the activity to make it commercial;
  • the activity need not be commercial in itself, provided that it is of a “commercial character”; that is, an activity that is “more or less commercial” or one that would “appear to be commercial by most accounts”; and
  • the fact that an activity confers a public benefit or could also be characterized as charitable was irrelevant to whether it is a commercial activity for the purposes of PIPA.

Focusing on the fact that the Legal Aid Society “meets with prospective clients and decides whether to provide legal services, which might be performed by a private lawyer engaged by the [Legal Aid Society] or by its own staff lawyers”, the adjudicator concluded that there was very little to distinguish the Legal Aid Society from a private law practice or business. Both were carrying out a trade or business. Moreover, the adjudicator concluded that it would be arbitrary to treat clients who partially reimbursed the Legal Aid Society for services differently from those who did not.

General, Overbroad “Agreement” Does Not Permit Reference Check on Disabled Child

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a summary of findings in two cases arising out of inappropriate sharing of information between two summer camps about a child following an online application for a summer camp spot.

The issue arose when the child’s legal guardian completed an online application for a position at a camp. The child had spent the previous two summers at a different camp. The OPC report of findings notes that the child is disabled. During the online application process, the legal guardian accepted an “Additional Agreement”, which, according to the OPC, provided that “camp directors, at their discretion, could use the information supplied in applications for any means.”

The prospective camp contacted the first camp and asked questions about the child’s history at the previous camp and the level of support that the child required as a camper. The exchange came to light when the prospective camp allegedly refused the child’s application on the basis that the child could not be supported at the camp and that the “child’s disabilities would not be fair to other campers.”

Although the camps claimed that sharing of information about children was commonplace in order to assure that campers have a successful summer, the camps were members of the Ontario Camps Association, which adheres to a Code of Professional Ethics, requiring camps to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The previous camp did not obtain any form of consent to the disclosure of a child’s application history or experience at the camp. This was a fairly open and shut violation of the requirement of PIPEDA to obtain consent to the disclosure of personal information.

However, the prospective camp defended against the complaint on the basis that the legal guardian had consented to the collection, use and disclosure of personal information about the child when the legal guardian accepted the “Additional Agreement”.

Not so, found the OPC. The “Additional Agreement” was too general and overly broad to obtain meaningful consent to the collection, use and disclosure of personal information.

“This Office does not share the view of the first camp’s director that the complainant’s consent was obtained by her agreeing to the terms of the application she submitted, including the terms of the application’s “Additional Agreement”. We examined the application as well as that organization’s privacy policy and believe that the general statements regarding how the information supplied is to be used are overly broad and not sufficient to obtain consent to collect personal information from a third party as part of the enrolment process.”

The prospective camp made four errors:

  • The prospective camp used information in the application to conduct a background check on the child by contacting the previous camp.
  • The prospective camp disclosed information to the previous camp in order to elicit information about the child.
  • The prospective camp collected information from the previous camp.
  • The prospective camp used the information from the previous camp in order to evaluate the child’s application.

The OPC findings with respect to the previous camp can be found here. The OPC findings with respect to the prospective camp can be found here.


Cautionary Tale for the Helpful Employee

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings in connection with a complaint that an employee at a mobile phone company improperly altered a phone contract of a customer at the direction of an unauthorized party.

The facts of the case, as reported by the OPC, were relatively straightforward. The stepson of a customer was authorized to use a phone on his stepfather’s account. The stepson visited a mobile phone store and requested changes to his services. The stepson impersonated his stepfather. Bad on the stepson, perhaps, but the OPC concluded that the employee did not follow the mobile phone store’s customer validation process. In particular, the employee did not request identification to authenticate the customer by means of two pieces of identification. The changes requested by the stepson generated a new three year contract. Trouble was that the stepson was not authorized to make those changes and the stepfather was none too pleased.

The employee might have just been trying to be helpful, but the OPC found two violations of the federal privacy principles established by the Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Principle 4.3: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”

The use of the real customer’s personal information to renew the contract was not done with that customer’s consent.

  • Principle 4.7 and 4.7.1: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.”

There were procedures in place but the employee violated them, thereby failing to protect the personal information from unauthorized use.

Are your employees aware of these principles and that they apply to them? Maybe understanding that these principles are not just the ravings of a compliance department but are also federal law might help convince them that these principles are important.

A Gatekeeper Approach to Mobile App Regulation is Developing in the United States

The Federal Trade Commission (FTC) released a Staff Report on February 1, 2013, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.” The FTC Staff Report follows on the heels of earlier recommendations by the California Attorney General (AG), released in January, in a report entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.”

The FTC Staff Report is particularly notable for articulating a gatekeeper function for platform providers in the mobile app ecosystem. The Staff Report and the California AG Recommendations recognize that there are distinct players in the mobile app market – platforms that provide the operating system and marketplaces; developers of the apps; and advertising networks. Both the FTC Staff Report and the California AG Recommendations target these different players with recommendations.

However, it appears that FTC Staff see the platform providers as particularly amenable to regulation because they are the focal point for the interface between users and app developers.

“[…] platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving privacy disclosures.” (FTC Staff Report, p. 14)

FTC Staff asserted that the platforms “use the plethora of apps offered on their devices as a significant marketing tool” (p. 14). The inference appears to be that the platforms have fair trading obligations to ensure that the apps they distribute meet privacy standards.

As gatekeepers, FTC Staff want platform providers to:

  • Require developers to make privacy disclosures;
  • Enforce privacy disclosure standards;
  • Educate developers on privacy issues;
  • Be responsible for providing “just-in-time” disclosure for the collection of geolocation data and other sensitive data;
  • Be responsible for obtaining consent for the collection of geolocation data and other sensitive data;
  • Develop a “dashboard” to allow consumers to review what types of content are being accessed by apps on their devices;
  • Develop icons to notify the user of the transmission of user data;
  • Establish a do-not-track (DNT) option at the platform level to allow consumers to make a one-time choice; and
  • Provide consumers with disclosure regarding the extent of review that the platform undertakes prior to making the app available as well as any compliance checks or reviews after the app is made available on the platform’s market store.

The approach to platform providers as potential gatekeepers and enforcers differs from that of the California AG’s report, which focused on the educational role that platform providers could play.

Other highlights from the FTC Staff Report and the earlier California AG Recommendations are:

  • DNT or bust? FTC Staff continue to call on the industry to develop a “DNT mechanism that would prevent an entity from developing profiles about mobile users” (FTC, p. 21). The DNT mechanism must be (i) universal, (ii) easy to find and use, (iii) persistent, (iv) effective and enforceable, and (v) apply to more than just advertisements (FTC, p. 21).
  • “Just-in-Time” and “Surprise Minimization”. The FTC Staff Report emphasizes “just-in-time” or contextual disclosure and obtaining express affirmative consent at the point at which it is going to matter to consumers – that is, just prior to collection (FTC, p. 15). The California AG’s basic approach is to “minimize surprises to users”. The emphasis is on clearer, shorter notices. Organizations should not rely on privacy policies alone but should also supplement those notices with alerts delivered “in context and just in time” (AG, p. 5).
  • Icons – but which ones? Privacy icons are the future; however, FTC Staff want to see consumer testing to ensure efficacy (FTC, p. 16).
  • Privacy by Design. The California AG continues to emphasize privacy as the default and the limiting of collection, use and retention to what is necessary to complete the function for which the data was required (AG, p. 9).